Main OAuth 2.0 flow facts

There are four flows defined in the specification:

  • Authorization code flow:
    • One-time code issued to client
    • Client redeems code for access token
    • Access and ID token
    • Used for server-side apps
    • Authorization code flow with Proof Key for Code Exchange (PKCE) for native/mobile applications
  • Client credentials flow:
    • Authenticates the client, not the user
    • Client receives an access token for itself
    • Does not support refresh tokens
    • Recommended for client applications with no end user (machine-to-machine communication)
  • Resource owner password flow:
    • Client collects username/password from user
    • Exchange username/password for access token
    • Used if you control the client application and the resource
    • Typically used by an online service's own client app talking to that same service's backend
  • Implicit flow:
    • Client is untrusted (public)
    • No refresh token issued
    • Recommended to use for Single Page Applications (SPA)
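The authorization code flow with PKCE is the one the list above marks for native and mobile clients, so here is the exchange worked through end to end. This is an added example and not code from the book or from ADFS/Azure AD: the endpoints, client id and redirect URI are constructed placeholders, and `ToyAuthorizationServer` is an in-memory stand-in for the authorization server that performs the same checks a real one does (one-time code redemption, client/redirect match, S256 verifier check) so the flow runs offline.

```python
import base64
import hashlib
import secrets
import urllib.parse
from typing import Optional, Tuple

# Constructed, hypothetical values for this example; not a real ADFS or Azure AD tenant.
AUTHORIZE_ENDPOINT = "https://login.example.test/adfs/oauth2/authorize"
TOKEN_ENDPOINT = "https://login.example.test/adfs/oauth2/token"
CLIENT_ID = "example-native-client"
REDIRECT_URI = "myapp://callback"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(challenge: str, state: str) -> str:
    """Step 1: the client sends the user's browser to the authorization endpoint."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


class ToyAuthorizationServer:
    """In-memory stand-in for the authorization server (hypothetical, for the example)."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, authorize_url: str) -> dict:
        """Step 2: after the user authenticates, issue a one-time code and redirect back."""
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(authorize_url).query)
        code = secrets.token_urlsafe(24)
        self._codes[code] = (query["client_id"][0], query["redirect_uri"][0],
                             query["code_challenge"][0])
        return {"code": code, "state": query["state"][0]}

    def token(self, form: dict) -> dict:
        """Step 3: redeem the code for tokens; each check mirrors one a real server makes."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self._codes.pop(form.get("code"), None)  # pop: the code is single use
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, challenge = entry
        if (client_id, redirect_uri) != (form.get("client_id"), form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        expected = _b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
        if not secrets.compare_digest(expected, challenge):  # proof the redeemer started the flow
            return {"error": "invalid_grant"}
        return {
            "access_token": "at." + secrets.token_urlsafe(16),
            "id_token": "idt." + secrets.token_urlsafe(16),
            "token_type": "Bearer",
            "expires_in": 3600,
        }


def run_authorization_code_flow(server: ToyAuthorizationServer,
                                verifier_override: Optional[str] = None) -> Tuple[str, dict]:
    """Drive the exchange from the client's side; returns (code, token response)."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    redirect = server.authorize(build_authorize_url(challenge, state))
    if redirect["state"] != state:  # client-side check that the callback belongs to this flow
        raise RuntimeError("state mismatch on redirect")
    response = server.token({
        "grant_type": "authorization_code",
        "code": redirect["code"],
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier_override or verifier,
    })
    return redirect["code"], response


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    print(run_authorization_code_flow(srv)[1])  # access_token + id_token
    print(run_authorization_code_flow(srv, verifier_override="wrong")[1])  # invalid_grant
```

Against a real ADFS or Azure AD tenant the two `server.*` calls become a browser redirect to the authorize endpoint and an HTTP POST to the token endpoint; the `verifier_override` path shows why PKCE matters for public clients: a code captured without its verifier cannot be redeemed, and a code already redeemed once is rejected on the second attempt.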

You can use the following resources to deploy several OAuth 2.0 examples with your on-premise ADFS infrastructure:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/enabling-oauth-confidential-clients-with-ad-fs

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/native-client-with-ad-fs

Work through the following examples with Azure AD to get deeper into the different flow types:

The next section provides you with information about the authorization code flow.
